Australia’s Anti-Encryption Collision with GDPR Sub-Processing

On December 6th, Australia passed a surprising law with a global impact on privacy. The new law requires any Australian company to build backdoors to encrypted data and communications when instructed to do so by the government while requiring secrecy about the existence of such surveillance capabilities from individuals and enterprise customers. This unverifiable question of compromised encryption presents many technical threats but introduces international regulatory compliance challenges as well.

“It is likely not possible to build in functions to get around encryption without building in systemic weakness or vulnerability into a given product or service.”

-Australian Computer Society Inc.

This law also requires individual technologists to obey surveillance commands in silence on threat of up to 10 years of imprisonment (Section 64A), effectively conscripting every Australian civilian technology employee as a spy resource for government surveillance. If you’re thinking a warrant canary might bypass the secrecy order, the Australian Government was one step ahead, banning organizations from making any public reference to the “existence or non-existence of such a warrant” in 2015. Like the anti-encryption law, disclosing any information about warrants, even the lack of a warrant, carries a personal liability of imprisonment for two years.

While most software development lifecycles have security controls which would prevent a single employee from quietly compromising an application’s security, a company’s upper management could be forced to bypass these controls to implement weak encryption or insecure access without disclosing it to end users or customers of that software. What does this mean for international customers of Australian software platforms and applications?

About the Author

Amber Welch is a Privacy Technical Lead for Schellman & Company, LLC. With more than 6 years of experience as a technical writer and privacy and security governance consultant, she is dedicated to GDPR and other privacy-focused engagements. Amber has served as a panelist during Black Hat and published several articles on recent privacy developments. She holds a master’s degree from the University of Nebraska, as well as the CIPP/E and CCSK designations from the International Association of Privacy Professionals and the Cloud Security Alliance.